In the context of the future Guidelines on the information to be provided for the authorization as payment institutions and e-money institutions and for the registration as account information service providers, under the revised Payment Services Directive, LINXO, BANKIN and BUDGET INSIGHT, members of France FinTech, share the general objectives claimed.
We believe that greater transparency and clarity in respect of the information that an applicant has to submit as part of an application for authorization will allow applicants to be better prepared. This clarity will avoid unnecessary disappointments and reduce the number of incomplete applications because of a lack of information. This will also create the condition of a level playing field as all entities providing the same services will be subjected to the same obligations everywhere in Europe. Yet we call for a tailor-made approach adapted to the nature of the payment services provided, in respect of the proportionality principle. Indeed, with the digital innovation, many PIS or AIS are young companies. They provide services that allow consumers to better manage their money and savings. Their recognition in the PSD2 shows that the decision-makers understand the benefit for consumers. This recognition goes together with responsibilities. But imposing a long list of requirements whose impact on security is questionable could be detrimental for AIS and PIS entities. Ensuring the highest level of consumer protection cannot be a disguised method of blocking, with administrative burden, AIS and PIS, which do not have the same administrative resources as other payment institutions.
The level of information required for PIS and AIS is disproportionate to the objective of security and customer protection, leading to a heavy burden especially for small entities that could then be discouraged from entering the market even though they would provide useful services for the benefit of their clients.
Therefore we welcome the possibility given by the EBA, through this discussion paper, to contribute to the future guidelines and we call on the EBA to consider our position.
We share the vision that a list of information to be provided by the applicants will increase the efficiency of the authorization procedure for competent authorities, Member States and applicants. It will finally create the condition for a harmonized supervision across Europe thanks to a standardized process.
Last but not least, well-designed guidelines will also bring greater confidence to payment services users in payment institutions, especially in a trans-border perspective, which could help to develop a real European market of payment services across the 28 Member States.
The proportionality principle should guide the work of the EBA. The precise identification of the service that will be provided is key, as well as the right and coherent approach to each payment service.
From an efficiency perspective we think that the option chosen by the EBA is the right approach in its principle. Applicants need to have a clear idea of all the documents that are mandatory to submit an application. This is why we think it would be useful to write in the guidelines that competent authorities cannot impose new constraints without a prior validation by the EBA regarding the justification of those extra requirements. The Guidelines regarding the assessment of completeness of the application are decisive for a smooth implementation process at national level and to achieve the highest level of standardization across Europe.
LINXO, BANKIN and BUDGET INSIGHT are also in favor of the establishment of a list of information items that applicants would be required to submit, as this is more flexible over time than a template.
Finally, we appreciate the effort made to take into account the specificities of payment initiation services (PIS) and account information services (AIS). Yet we strongly believe that option B would respect more the spirit of PSD2, as it acknowledges the inner differences between payment institutions, PIS and AIS. We claim that they both have specificities that require a different treatment from the other payment institutions. Therefore, we call on the EBA to develop three successive sets of Guidelines, with a step-by-step approach, like a Russian doll, reflecting adequately the level of risk:
• one for applicants which provide account information services (AIS) (General Principles + Identification Details)
• one for applicants which provide payment initiation services (PIS) – knowing that the requirements for AIS are also automatically included
• one for applicants for authorization as electronic money institutions
• one for applicants which provide services 1 to 6 of Annex I of PSD2 – knowing that the requirements for AIS and PIS are also automatically included.
This new architecture will allow the guidelines to gain clarity, as it is not always easy to understand and follow the various exclusions of the provisions described in part 4.1 of the guidelines. This will also allow the guidelines to be shorter by avoiding repetition of the same requirements for each category.
This step-by-step approach is also perfectly in line with the market reality as many AIS will turn to PIS in the coming years to answer their users’ expectations. Allowing the AIS to provide only the complementary elements required for PIS will ease the authorization procedure and the work of competent authorities. The customers will ultimately benefit from a more dynamic market of payment services.
There is no objective reason to incorporate in the same category payment institutions providing the whole range of services of Annex I and PIS. A Russian Doll approach would be perfectly coherent with the risk associated with each category of services. PIS, like AIS, do not enter into possession of funds. Moreover, to transfer funds, there is always a strong customer authentication that is compulsory from the final user of PIS. The guidelines should have a specific approach to payment institutions depending on whether they enter into possession of funds or not.
If we welcome the treatment granted to AIS with a reduced set of requirements, we do not see the rationale behind imposing almost the same level of information/requirements for payment institutions which enter into possession of funds and for PIS. PIS are not an electronic wallet, nor a bank. We strongly believe that the draft guidelines go far beyond the PSD2 requirements derived from article 5. We think that the Russian Doll approach would better fit with the PSD2’s objectives and would allow a better application of the proportionality measures.
Having in mind what we said above, LINXO, BANKIN and BUDGET INSIGHT would like to comment on the relevance of some of the information required from applicants for the authorization as payment institutions for the provision of PIS. We claim that a specific set of requirements for PIS, on top of the requirements for AIS, will be the best approach. This is also in line with the tendency of the market as more and more AIS customers require their service provider to also allow funds transfers from one account to another, changing progressively AIS into PIS.
• Regarding the “General Principles”, we share them with the concerns explained in question 7.
• Regarding the “Identification Details” and the “Programme of operations”, we have the same comments as we had for AIS (see question 5)
• Regarding the “Business plan”, we think that the marketing plan is irrelevant and burdensome. The only item that matters is our own capital projections to be sure that we are compliant.
• Regarding the “Structural organization”, more proportionality is necessary, especially as several PIS are start-ups. The same comments we made for AIS are applicable for PIS also.
• Regarding the “Evidence of initial capital”, we have no comment
• Regarding the “Governance arrangements and internal control mechanisms”, once again, more proportionality is necessary, especially as many PIS are start-ups. We think that several required items only add administrative burden, such as:
o the accounting procedures by which the applicant will record and report its financial information
o a description of the way outsourced functions are monitored and controlled so as to avoid an impairment in the quality of the applicant’s internal controls
o the periodical control program, setting out the measures to be taken over the next three years to ensure a robust governance of the applicant
Our proposal would be only to describe the internal control procedure with the control processes, the regularity of the controls, the associated control and the typology of the reporting.
• Regarding the “Procedure to monitor, handle and follow up on a security incident and security related customer complaints” we have no comment and we think this is key to ensure the greatest confidence in PIS
• Regarding the “Process in place to file, monitor, track and restrict access to sensitive payment data” we have no comment on the list of requirements.
• Regarding Guidelines 11 “Business continuity arrangements”, 12 “The principles and definitions applicable to the collection of statistical data on performance, transactions and fraud” and 13 “Security policy document”, we have no specific comment.
• Regarding Guideline 14 “Internal control mechanisms to comply with obligations in relation to money laundering and terrorist financing (AML/CFT obligations)”, the provisions are totally irrelevant for PIS. This misunderstanding of the peculiar nature of PIS advocates in favor of a separate treatment for PIS. Once again, PIS are only executing a client’s order. Moreover, like AIS, PIS do not enter into possession of funds. This obligation involves only banks which have to do their work.
• Regarding Guideline 15 “Identity and suitability assessment of persons with qualified holdings in the applicant”, the provisions are irrelevant for PIS. Once again, PIS are only executing a client’s order. Moreover, like AIS, PIS do not enter into possession of funds. The authentication procedures and funds transfers are the same towards the bank.
• Regarding Guideline 16 “Identity and suitability assessment of directors and persons responsible for the management of the payment institution”, we call for a better implementation of the proportionality principle for PIS in order to allow young professionals to grow and enter the market.
• Regarding Guideline 17 “Identity of statutory auditors and audit firms” and Guideline 18 “Professional indemnity insurance or comparable guarantee for payment initiation services and account information services”, we have no comment.
To conclude, the set of mandatory documents requested from applicants should take into account the size, the internal organisation and the nature, scale, and complexity of the activities. This is essential to create the condition for a level playing field. This is written as an objective in the guidelines but the application is clearly failing.
Having in mind what we said above, LINXO, BANKIN and BUDGET INSIGHT would like to comment on the relevance of some information that is required from applicants for registration for the provision of AIS. Our global vision is that there are several items that put an unnecessary administrative burden both on AIS and on the competent authority, without providing decisive information in terms of security or consumers’ protection.
• Regarding the “General Principles”, we share them with the concerns explained in question 7.
• Regarding the “Identification Details”, we have two concerns. One is linked with j) the register certificate of incorporation, as this is costly for a company to have it and it is irrelevant for the registration. The second is the fees applicable under national law, as this could impede the level playing field across Europe, if fees are applicable in some countries and not in others.
• Regarding the “Programme of operations”, we think that several provisions are very vague, such as the notion of “processing times” (it is difficult to identify what it is about – data processing? Transfer order? – and the relevance of such information). We have questions regarding the relevance of providing draft contracts between all the parties involved, as this requirement is also unclear: what parties are targeted? The same reasoning of unnecessary administrative burden is applicable to the number of different premises or the description of any ancillary services.
• Regarding the “Business plan” the requirements clearly exceed what is necessary for a sound registration. We do not see how the analysis of the payments market and globally the marketing plan will give elements for the CA to assess an application. Moreover, this will limit the market to the biggest entities which have the internal resources to elaborate those documents. Those requirements would clearly exclude start-ups from the market even though they bring innovation for the European customers by providing answers to their needs. The marketing plan will impose costs on AIS and require time for CA to evaluate it, without bringing any added value in terms of security or consumer protection. We call on the EBA to delete those provisions on the business plan. The only important data to provide is the origin of funds of the AIS.
• Regarding the “Structural organisation”, and specifically point c) a description of outsourcing arrangements, we think that the guidelines could clarify what outsourcing arrangements are targeted. Indeed, the outsourcing of the commercial activity of the company is irrelevant. We think that the provisions on outsourcing should be clearly limited to banking connection and transfer of funds.
• Regarding the “Governance arrangements and internal control mechanisms”, we would like to highlight that the requirements should be proportional to the activity of an AIS, and not only a copy-paste of the requirements for payment institutions, as once again there is no possession of funds. For instance, we believe that it is irrelevant to request:
o c) the accounting procedures by which the applicant will record and report its financial information;
o j) the periodical control program, setting out the measures to be taken over the next three years to ensure a robust governance of the applicant; (this is very burdensome and could even be a nonsense because AIS evolve in a fast innovation process)
• Regarding the “Procedure to monitor, handle and follow up on a security incident and security related customer complaints” we have no comment and we think this is key for any AIS to provide its customers with the best service and the strongest protection.
• Regarding the “Process in place to file, monitor, track and restrict access to sensitive payment data” we have no comment on the list of requirements. Yet we ask the EBA to clearly indicate that data related only to money activities which cannot be used to initiate a payment are not considered as sensitive payment data. Data related to transactions on bank account: balances, rates, international securities identification numbers, debit cards, credit cards, current accounts, credit accounts, loans, mortgages, savings accounts, life insurance, trading accounts (…) should not be considered as sensitive payment data.
• Regarding the “Business continuity arrangements” we see it as useless to request for AIS:
o a) a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives, and protected assets;
o e) A description of the mitigation measures to be adopted by the applicant, in case of termination of its payment services activities, to avoid adverse effects on payment systems and on the payments services users, ensuring execution of pending payment transactions and termination of existing contracts – this is irrelevant for AIS
• Regarding the security policy document, our vision is that too many details are requested. The guidelines should focus on technologies and on data linked to the activity; everything else does not need lots of details (the support IT systems used for the organisation and administration of the account information service provider, such as accounting, legal reporting systems, staff management, customer relationship management, e-mail servers, internal file servers). Moreover there are requirements that are applicable only to PIS and not to AIS:
o g) the security of the payment processes, with the exception of: the customer authentication procedure used for both, consultative, all items are relevant for PIS;
o h) a detailed risk assessment in relation to its payment services, including fraud and with a link to the control and mitigations explained in the application file, demonstrating that the risks are addressed;
• Regarding the “Identity and suitability assessment of Directors and persons responsible for the management of the account information service provider” we call for more proportionality as several AIS have been developed by young professionals or students, who do not comply with the typical profile described in the guidelines. The suitability assessment (b) is irrelevant. The requirements will have as a consequence to exclude young entrepreneurs because they do not match with an ideal profile. Bankin and Budget Insight founders were students when they created their company; they are now among the leaders in Europe. This is also contradictory with the European policy objective to promote entrepreneurship and start-ups. The result of the guidelines should not be to block future innovation because of too descriptive profiles. A description of the President, Director General and technical director should be enough. It would be detrimental for future innovation to request a statement in relation to the individual’s requisite experience as enumerated, as appropriate, in the Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body. Indeed, those guidelines have a focus on banking activities and are highly inadequate for AISP. Regarding evidence of reputation, honesty, integrity (c), we think that the clean police record is enough. Last but not least, on information on financial and non-financial interests (d), the requirements are burdensome and not relevant as AIS do not manage nor access funds.
• Regarding the “professional indemnity insurance or comparable guarantee” we have no comment.
Bankin, Budget Insight and Linxo welcome the General principle 1.4:
“Institutions should take into account their size, internal organisation and the nature, scale, and complexity of their activities when developing and implementing policies and processes. In any event, in accordance with Directive (EU) 2015/2366, the directors and the persons responsible for the management of the payment institution are of good repute and possess appropriate knowledge and experience to perform payment services, regardless of the institution’s size, internal organisation and the nature, scope and the complexity of its activities and the duties and responsibilities of the specific position.”
=> But as we described it previously this principle failed to be implemented in the current guidelines because of too many unnecessary administrative requirements.
Article 12 of PSD2 provides that “within 3 months of receipt of an application or, if the application is incomplete, of all of the information required for the decision, the competent authorities shall inform the applicant whether the authorization is granted or refused. The competent authority shall give reasons where it refuses an authorization.”
Besides the process and this limit of three months, we ask the guidelines to require the competent authority to provide a shorter path for the submission of the missing information for an application that was refused because the file was not complete or because of involuntary mistakes. Indeed, it will be difficult for small and young companies, especially for AIS or PIS, to start the process from the very beginning as this requires lots of energy and time. Likewise, a shorter procedure should be provided for AIS turning to PIS, in order to allow them to meet their clients’ expectations. When an AIS turns to PIS, only the complementary items (what is not requested for AIS) should be provided and not the whole set of requirements. This would greatly smooth the process for the competent authorities and allow a level playing field among start-ups and big, more traditional players.
Last but not least, the guidelines should emphasise, in echo with the PSD2, the continuity of service provided by stakeholders already providing their services before the entry into force of the PSD2. Customers should not be deprived of their services because a national competent authority delays its approval or during the assessment period. In this perspective and given the limited resources of competent authorities at national level, a priority treatment should be granted for existing market players in order not to penalize the final customer.